summary refs log tree commit diff
path: root/gnu/packages/patches/gd-CVE-2019-6977.patch
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2019-02-20 17:01:39 +0100
committerMarius Bakke <mbakke@fastmail.com>2019-02-20 17:01:39 +0100
commit2c76e19df4b0b4aa0171f1edd9f240f7b6ba5b84 (patch)
treec2e7a7f27dd9c7e704f2e78655328c903a6934d1 /gnu/packages/patches/gd-CVE-2019-6977.patch
parente6a668ec7303a71f87e4c9354b1458e555058c63 (diff)
parent78b2eb1ad3dcf05c25e0ee4980c97aa52de03a2d (diff)
downloadguix-2c76e19df4b0b4aa0171f1edd9f240f7b6ba5b84.tar.gz
Merge branch 'master' into staging
Diffstat (limited to 'gnu/packages/patches/gd-CVE-2019-6977.patch')
-rw-r--r--gnu/packages/patches/gd-CVE-2019-6977.patch36
1 files changed, 36 insertions, 0 deletions
diff --git a/gnu/packages/patches/gd-CVE-2019-6977.patch b/gnu/packages/patches/gd-CVE-2019-6977.patch
new file mode 100644
index 0000000000..b21a8ac619
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2019-6977.patch
@@ -0,0 +1,36 @@
+Fix CVE-2019-6977:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977
+
+Patch copied from Debian:
+
+https://salsa.debian.org/debian/libgd2/commit/2d7d3b68bb79843e5271a05543e996fd5a3a8cd1
+
+Description: Heap-based buffer overflow in gdImageColorMatch
+Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
+Bug-PHP: https://bugs.php.net/bug.php?id=77270
+Bug-Debian: https://bugs.debian.org/920645
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
+Forwarded: no
+Author: "Christoph M. Becker" <cmbecker69@gmx.de>
+Last-Update: 2019-02-01
+
+At least some of the image reading functions may return images which
+use color indexes greater than or equal to im->colorsTotal.  We cater
+to this by always using a buffer size which is sufficient for
+`gdMaxColors` in `gdImageColorMatch()`.
+---
+
+--- a/src/gd_color_match.c
++++ b/src/gd_color_match.c
+@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
+ 		return -4; /* At least 1 color must be allocated */
+ 	}
+ 
+-	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
+-	memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
++	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
++	memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
+ 
+ 	for (x=0; x < im1->sx; x++) {
+ 		for( y=0; y<im1->sy; y++ ) {